January 13, 2015

German investigation of the cooperation between NSA and BND (III)

This is part III about the German parliamentary committee which investigates NSA spying activities and the cooperation between NSA and the German foreign intelligence service BND.

The hearings of a number of BND employees which are summarized below, provided many interesting details about BND cable and satellite collection and how these data are selected and filtered and how privacy rights are implemented. This was especially of concern for the cooperation between NSA and BND in the Joint SIGINT Activity (JSA).

The witnesses also stated that contrary to the initial press report, under the joint operation Eikonal not a single German communication was passed on to NSA.

These summaries are based upon transcripts of a live blog, kept by volunteers of the German digital civil rights website Netzpolitik.org, who attended the hearings.
The employees of the BND are designated by initials, not of their real names, but of those of the cover names they are using when at work(!).

- Hearing of the witness Mr. T. B. (BND, head of the JSA unit from 2003-2007):

In Bad Aibling, the BND has dishes to intercept satellite communications. When satellite links are intercepted, the following things have to be done: first a specific frequency has to be selected, and as one frequency often contains multiple channels, these have to be broken down (de-multiplexed) into single data streams. Based upon metadata it can be decided that certain types of communications are not of interest for BND.

The next step is to separate the various content encodings, like for IP-traffic, telephony, fax, etc. This also needs error correction, which sometimes is a bit more difficult because some communication systems use proprietary methods. This results in data in a readable or audible format (like an e-mail or a phone call), which can be used to prepare an intelligence report. The witness estimates that BND produces around 20 reports a day.

For processing, filtering and selecting commercial computer systems were used, as wel as systems that were custom made by NSA. The Americans were ahead of BND in this, not necessarily better, but often just in doing more, or faster, like in analysing signals.

Compare: the data flow at NSA, according to a presentation
from the NSA's European Cryptologic Center (ECC)(Click to enlarge)

Mass surveillance?

The witness stated that there was and is no mass surveillance by BND. Mass surveillance is even more difficult for fiber optic cables than for satellite links. If there would be any mass surveillance for the latter, then this should involve some 300 communications satellites, for which there should be ground stations at at least three places around the world.

There you would need 250 satellite dishes of 10 million euros each to receive the up to 500 frequencies per satellite. For each frequency two modems and converters were needed, and with the necessary processing capacity, this would require a nuclear power plant for electricity.

Mass surveillance on cable traffic could probably only be done with the capacity of the American, Russian and Chinese intelligence agencies combined. For BND, mass surveillance would drown the agency in data. The witness had never witnessed any kind of economical espionage by NSA in Germany. But he had to admit that not everything was talked about.

Joint SIGINT Activity (JSA)

NSA's Bad Aibling Station was scheduled for closure in 2002, but after 9/11 this was postponed to 2004, and maybe this led to the creation of the JSA. In the Joint SIGINT Activity, NSA and BND cooperated in collecting both satellite and cable communications.

The JSA was located at the Mangfall Barracks in Bad Aibling. In 2002, this military complex still had a compound of the Bundeswehr, where you had to go through to reach the BND section. The Bundeswehr left these barracks by the end of 2002, and NSA went to a new building nicknamed the Tin Can (Blechdose).

The compound had three sections: one for Germans only, one for US persons only and one common section. The collection of data took place in the common section, and the exits were strictly monitored, so NSA had no access to German sources on its own, although there weren't every day checks on people carrying thumb drives.

BND personnel had no access to NSA databases and vice versa, but both had access to joint databases. NSA had also some contractors working there. JSA was connected to NSANet, just like NSA's European Security Operations Center (ESOC, now the European Cryptologic Center (ECC)) near Darmstadt.

Until 2007 only cable traffic from Frankfurt was passed on to JSA, not from other internet cables. Satellite traffic intercepted by the BND antennas in Bad Aibling was probably also transferred to JSA, where it was processed and analysed in the interest of both NSA and BND.

After the Joint SIGINT Activity (JSA) was closed in 2012, the logical path over the physical cables between BND headquarters and Bad Aibling was probably cut off. After 2012, BND continued to cooperate with NSA in the field of satellite interception and operations in Afghanistan.

Google Maps view of the Mangfall Barracks in Bad Aibling, Germany.
The building in the upper left corner could be the BND facility,
and the one with the white roof the NSA's "Tin Can".

Protection of German data

BND did everything to prevent that communications of German citizens or corporations were collected and/or passed on to NSA. Initially, 4 out of 5 selectors came from the Americans, the rest were German. The witness did not know the total number of selectors. These selectors were checked before they were fed into the collection system, and what came out was again checked whether it contained German communications.

The selectors from NSA were first checked by the Americans in the Tin Can at the Mangfall Barracks and then passed on to a unit of the technical division (which included lawyers) of BND at its then headquarters in Pullach. A final check was conducted by BND personnel in Bad Aibling. Only about one permille of the selectors were rejected because they were related to Germans or contrary to German interests.

Filtering out German data

This filtering works fine, but experience in Bad Aibling has learned that it is not possible to do this fully automated. Therefore, there was no automatic forwarding to NSA. A 100% accurate filtering was only possible with a final selection by hand. As far as the witness was aware of, not a single German communication was passed on to NSA.

In the press report about operation Eikonal it was said that the filter system could only filter out 95% of German communications, but according to the witness, this was only during the test period. When the system went live, this percentage rose to 99% with a second stage that could filter out even more than 99%. When necessary, a final check was conducted by hand.

Especially e-mail addresses have to be checked by hand, because nowadays it's much more difficult to attribute such internet communications to specific countries. During the test period, about 3000 communications had to be checked by hand, 300 of which were e-mails. BND didn't collect data from US citizens or passed these on to NSA, so NSA did not use BND to get data that it wasn't allowed to collect by itself (Ringtausch).

The witness suggested that Süddeutsche Zeitung (the media that claimed that the BND filters wouldn't work and German data was forwarded to the NSA) had documents of conversations between BND and NSA, in which maybe BND made "political statements" about the efficiency of the filters.

(This could explain the discrepancy between the press reports and the BND witnesses,
who all assured that the filter worked, and with additionally manual checks not a single German data was forwarded to NSA)

The witness clearly stated that German G-10 Act only protects Germans and people living in Germany. The privacy of foreigners living abroad is not protected by German law.

Operations center room in the former BND headquarters in Pullach(Screenshot from ARD television - Click to enlarge)

- Hearing of Ms. G. L. (BND, head of IT development and operations at JSA from 2007-2008):

This witness is responsible for databases that store data after having been collected and filtered. These databases are at various locations. Currently, between 8.000 and 10.000 pieces of content with some additional information (Meldungen) come in each month, often but not always accompanied by metadata.

Joint SIGINT Activity (JSA)

Each unit of BND's analysis division (Auswertung) could request intelligence information from the JSA. They could suggest specific selectors to be tasked or articulate what their information needs were. Ultimate goal was to present relevant information for the federal government. BND sees itself as a service provider for customers in the government.

In 2005/2006 the selection process was fully automated. The witness couldn't remember how many selectors were used in her period at JSA. These numbers were also not registered. NSA was not able to get any German communications before these were thoroughly filtered and checked by BND. An e-mail that was selected, could be forwarded to NSA through a secured gateway. There was only access to local databases, not to those of NSA.

NSA employees working for JSA were not recognizable as such, they just had ID cards for the compound, issued by the security unit that was responsible for access control of the premises. The Tin Can building also housed SUSLAG (Special US Liaison Activity, Germany), which was a separate unit, different from JSA.

Header of a newsletter from the Joint SIGINT Activity (JSA)
(Click for a JSA newsletter (pdf) from 2007)

Operation Eikonal

The witness confirmed that in Frankfurt fiber optic cables were intercepted (operation Eikonal), although without mentioning whether this was at DE-CIX or somewhere else. She wouldn't answer the question whether BND is still doing this.

The data collected in Frankfurt were first sent to BND headquarters and then to Bad Aibling, where they were filtered by selectors from both NSA and BND. After the cooperation with NSA was ended, the transmission to Bad Aibling was cut off.

Legal issues

The witness was responsible for the implementation of the Federal Intelligence Service Act (BND Gesetz), which governs the activities of this agency. As such, she had the opinion that satellite interception conducted in Bad Aibling also took place under this act, but the Director of BND overruled her, saying this was not the case.

The BND management said: this kind of collection takes place in outer space, and therefore German law doesn't apply. But apart from that, employees should always apply with law and order. Once data collected from satellite links had been stored in BND databases, they fall under the German Data Protection Act (Bundesdatenschutzgesetz) though.

(In general, most of these witnesses didn't knew much about topics that are not related to their own duties. They also showed very little interest in the Snowden-revelations. This might be from a common attitude in the intelligence world: the less you know, the less you can (accidently) give away)

The witness stated that BND is definitely not comparable with the former East German Stasi and that BND only collects what is necessary for fulfilling the information need of the federal government.

Today, mainly fiber optic cables are intercepted, but not everything that flows through, only specific data channels are selected, or in case of satellite links: specific frequencies. Asked about the Snowden-revelations, the witness said that he was surprised by how close the Five Eyes partners are cooperating.

Tapping internet cables

There are search profiles and criteria according to which specific data flows are selected in a very focussed way. The first selection is of a route between two places (like from Afghanistan to Pakistan), then a specific fiber optic cable is chosen.

These are human decisions, based upon where a cable is located, by which company it is operated and where it's most useful to tap it. Picking a specific cable is also discussed with the provider, with some of them this is easier than with others.

Because internet traffic travels over many different routes, picking specific cables, means that a lot of communications cannot be collected. This is taken for granted as BND doesn't want to collect everything. Sometimes multiple routes are selected for interception, but not always.

According to the witness, BND doesn't provide foreign intelligence agencies access to cables. No raw data are transferred to foreign agencies, only end reports.

In some cases, internet data have to be converted into a readable format. This sometimes means cracking encryption, consisting either of complex algorithms or proprietary methods. This can be done on the traffic as it flows past, or with data after having been stored in databases.

Filtering

The next step is filtering the data through selectors. This is done by a computer system, for which the data stream may be buffered for a few milliseconds. The amount of data flowing through these filter systems isn't counted by BND. Filtering by selectors is done as close to the actual tapping point as possible.

The selectors are chosen based upon the information needs and a set of criteria, which in combination prevent that communications of innocent people are touched. The results went to the (then) BND headquarters in Pullach over leased cables. The number of data forwarded to Pullach is not registered, it depends upon the costs of the capacity for transmission.

The constitutionally guaranteed Privacy of Correspondence can have effect on each of these selection stages: for example no cables are chosen that start and end in Germany, and no selectors belonging to Germans are used.

Data of Germans are currently filtered out by a system called DAFIS, which succeeded a BSI-certified filter system that was used since the 1990s. Data from German citizens and German companies (Grundrechtsträgern) are deleted.

After data have been selected, they are pulled out based upon their relevance and finally analysts can use them at a certain moment to write an intelligence report, of which approximately 20 a day are produced.

Operation Eikonal

Regarding the joint NSA-BND operation Eikonal, the witness said that there was no massive scale surveillance of German citizens with data forwarded to NSA. Under Eikonal, which was a one of a kind operation, there was targeted collection from traffic that transited Germany from one foreign country to another.

This was focussed on Afghanistan and anti-terrorism. Selected data were collected and forwarded to NSA. The witness would give more details only behind closed doors, because BND is still using these methods. The internal codename for Eikonal was Karat, but that name wasn't shared with NSA. There was even a third codename. Eikonal was tested during a few months (early 2006?), during which period no data were shared with NSA.

For Germany, Eikonal was useful because it provided foreign intelligence for protecting German troops and countering terrorism. The NSA provided better technical equipment that BND didn't had. In return, BND provided NSA with data collected from transit traffic using search profiles about Afghanistan and anti-terrorism. BND was asked to cooperate because NSA isn't able to do everything themselves.

What was collected under Eikonal was far less than the 500 million metadata a month as shown in the German BOUNDLESSINFORMANT chart. Actual collection only led to a few hundred selected contents (in German: Daten, like phone calls or e-mails) a year, which was a huge disappointment for NSA. Nothing that was worth while came out anymore, contrary to the expectations when the operation was set up.

This, combined with the fact that it proved to be impossible to 100% guarantee that no German data were collected and forwarded, led BND to terminate the program. As a "compensation" for NSA, a joint project in a country outside Europe was planned. In crisis regions, the BND is still cooperating with NSA, which provides "huge benefits" for the Germans, according to the witness.

The witness wouldn't say anything about whether BND was tapping into the Frankfurt internet exchange DE-CIX, but later on he said that operation Eikonal involved just one telecommunications provider.

(These kind of indications by some of the witnesses eventually led the Committee to conclude that operation Eikonal was actually about tapping one single cable of Deutsche Telekom, instead of the DE-CIX exchange as a whole, as the initial report by Süddeutsche Zeitung said. More about this later)

Things the BND learned from the Eikonal-cooperation were:

1. How the technique worked, which is now used for own operations outside, and collection efforts inside Germany
2. It is not possible to conduct 100% automated filtering. This wouldn't be done anymore.

Filtering through selectors

For Eikonal, the cable traffic was filtered by using selectors provided by both NSA and BND. A BND unit which included lawyers checked for every selector from the NSA whether it was legal and according to the goals of the cooperation. Besides German interests, also the interests of friendly countries were taken into account. Only a few selectors were rejected, but it wasn't told to NSA which ones. They were just not entered into the filtering system.

Selectors include not just phone numbers and e-mail addresses, but also MAC addresses, which have no country identifier. Although there may have been up to several hundred thoused selectors, BND was still able to check whether every single one was appropriate, this by using special criteria. Only selectors that can be checked are used.

Besides Eikonal, BND also taps into cables of multiple other communication providers, but this is within the proper legal framework, approved by the G-10 Committee. For this, there is dedicated hardware equipment in the building of the provider, in accordance with the regulations of the federal communications authority (Bundesnetzagentur). This hardware is installed at the point where the cable is tapped.

Screenshot from NSA's BOUNDLESSINFORMANT tool, showing the number of foreign
metadata that BND collected in crisis regions and shared with NSA(Click to enlarge)

Telephony metadata

According to the witness, one phone call creates between 30 and 50 metadata, which includes not only time and number but also a lot more technical data. With the given number of users in a crisis zone, this easily adds up to billions of metadata. But not all these have to be collected (erfasst); less than one percent can actually be pulled in. This is no mass surveillance without a reasonable ground (anlasslose Massenüberwachung). The witness assumes that NSA and GCHQ operate in a similar way as the BND.

The over 500 million metadata records from the Germen BOUNDLESSINFORMANT chart were most certainly from Afghanistan, more precisely from satellite communication links between two foreign countries in crisis regions. According to the witness this huge number of metadata for a single month is quite normal.

It could be that these numbers are collected up to today, although he isn't sure about that. BND isn't counting every single part of metadata, as NSA is apparently doing and which leads to those huge numbers.

XKeyscore

BND got the XKeyscore program from NSA, which is only used to analyse data that are already collected. BND didn't had such a tool before. Unlike NSA, which uses Xkeyscore as federated query system, BND uses it as a stand-alone system for analysis. The actual collection systems of BND are antennas and outposts (Aussenstellen).

The witness doesn't know how many servers BND purchased for XKeyscore. Presently, BND uses XKeyscore only for traffic that is intercepted from satellite links, apparently because the system isn't (yet) certified for filtering out communications of German citizens. BND got no software programs from NSA for profiling or for decrypting data.

Legality

Personal data are only those data that can be related to specific persons. For German data it is easy to retrieve the identity behind certain metadata, but for foreign metadata this is much more difficult and hence those metadata are not seen as personally identifiable information.

The witness said multiple times that he isn't a lawyer and he therefore had no opinion of his own about the legality of certain decisions. He also didn't knew whether data collected in foreign countries had been acquired with or without the consent of the provider. He just assumed that the data collection takes place in a legal way. Foreign partner agencies don't provide BND with data they are not allowed to collect themselves.

- Because of time shortage, the BND employees L. and W. P. couldn't be heard in this meeting.

> Next time: More hearings of BND employees

UPDATE:
Meanwhile, the following numbers about government eavesdropping operations in 2013 have been made public. These numbers are only about the interception of communcations with at least one-end-German, so traffic with both-ends-foreign are not included:

- The G10 Committee approved 212 eavesdropping operations, most of them were conducted by the domestic security service BfV (up from 157 in 2012). This involved some 350 people, most of them suspected of islam fundamentalism.

- In 26 cases, the domestic security service BfV used an IMSI-catcher to trace or intercept the mobile phone of 29 persons (more as twice as often as in 2012)

- BND is allowed to filter communications by using selectors. If Germans could be involved, it is not allowed to use selectors that identify specific targets (like phone numbers and e-mail adresses), so in that case, only generic search terms (keywords) may be used.

- The official report (pdf) provided the following numbers of approved search terms, of what was filtered out and of what was marked as relevant for foreign intelligence purposes:

US Red Phones

Sequence of the real Red Phones, not for the Washington-Moscow Hotline, but for the US Defense Red Switch Network (DRSN). The phones shown here were in use from the early eighties up to the present day and most of them were made by Electrospace Systems Inc. They will be discussed on this weblog later.

Contact

For questions, suggestions and other remarks about this weblog in general or any related issues, please use the following e-mail address: info (at) electrospaces.net

For sending an encrypted e-mail message, you can use the PGP Public Key under this ID: B4515E04

You can also communicate through Twitter: @electrospaces or XMPP/Jabber chat by using the address electrospaces (at) jabber.de

The title picture of this weblog shows the watch floor of the NSA's National Security Operations Center (NSOC) in 2006. The URL of this weblog recalls Electrospace Systems Inc., the company which made most of the top level communications equipment for the US Government. All information on this weblog is obtained from unclassified or publicly available sources.QW5kIGZpbmFsbHksIHRoaXMgaXMgd2hhdCBhIHRleHQgbG9va3MgbGlrZSwgd2hlbiBpdCdzIG9ubHkgZW5jb2RlZCB3aXRoIHRoZSBzdGFuZGFyZCBCYXNlNjQgc3lzdGVtLiBHdWVzcyBob3cgY29tcGxpY2F0ZWQgaXQgbXVzdCBiZSB3aGVuIGEgcmVhbCBzdHJvbmcgYWxnb3JpdGhtIHdhcyB1c2VkLg==